As the web evolves, HTTPS has become essential for modern websites. If you want a free certificate, Let’s Encrypt is a good choice: its stated purpose is to move websites to HTTPS.

Thanks to Let’s Encrypt for its free certificates

With Helm, it is easy to configure HTTPS for domain names in a K8S cluster. Once the resources are deployed, configuring a certificate for an Ingress in K8S only takes two more lines in the Ingress manifest.

This article shows how to configure HTTPS for your domain name in just three steps.

This article assumes that you have already configured an Ingress and can access your domain name through it. If not, refer to the previous articles in this series:

  • Deploy your first Application: Pod, Application, and Service
  • Access your application via an external domain name: Ingress

If this is helpful to you, please give shfshanyue/op-note a star.

01 Deploying cert-manager using Helm

We use the Helm chart jetstack/cert-manager to deploy HTTPS. At the time of writing, jetstack/cert-manager has 4.4K stars on GitHub.

To have cert-manager automatically configure HTTPS for Ingress resources with Let’s Encrypt, the following parameters need to be set on the Helm chart at deployment time:

ingressShim.defaultIssuerName=letsencrypt-prod
ingressShim.defaultIssuerKind=Issuer

Here is the documentation for Issuers

The deployment process is as follows. Helm v3 is used.

# Install the CRDs before deploying the chart
$ kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.11/deploy/manifests/00-crds.yaml

# add the jetstack repo for helm
$ helm repo add jetstack https://charts.jetstack.io

# Deploy with helm v3
$ helm install cert-manager jetstack/cert-manager --set "ingressShim.defaultIssuerName=letsencrypt-prod,ingressShim.defaultIssuerKind=Issuer"
NAME: cert-manager
LAST DEPLOYED: 2019-10-26 21:27:56.488948248 +0800 CST m=+2.081581159
NAMESPACE: default
STATUS: deployed
NOTES:
cert-manager has been deployed successfully!

In order to begin issuing certificates, you will need to set up a ClusterIssuer
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).

More information on the different types of issuers and how to configure them
can be found in our documentation:

https://docs.cert-manager.io/en/latest/reference/issuers.html

For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the `ingress-shim`
documentation:

https://docs.cert-manager.io/en/latest/reference/ingress-shim.html

Check the CRDs and the pods to verify that the deployment succeeded:

$ kubectl get crd
NAME                                  CREATED AT
certificaterequests.cert-manager.io   2019-10-26T01:16:21Z
certificates.cert-manager.io          2019-10-26T01:16:21Z
challenges.acme.cert-manager.io       2019-10-26T01:16:21Z
clusterissuers.cert-manager.io        2019-10-26T01:16:24Z
issuers.cert-manager.io               2019-10-26T01:16:24Z
orders.acme.cert-manager.io           2019-10-26T01:16:21Z

$ kubectl get pods
NAME                                             READY   STATUS    RESTARTS   AGE
cert-manager-5d8fd69d88-s7dtg                    1/1     Running   0          57s
cert-manager-cainjector-755bbf9c6b-ctkdb         1/1     Running   0          57s
cert-manager-webhook-76954fcbcd-h4hrx            1/1     Running   0          57s

02 Configuring ACME Issuers

Set kind to Issuer and replace the email address with your own. The Issuer resource is configured as follows:

apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: [email protected]
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: nginx

Apply it with kubectl apply -f to make it take effect:

$ kubectl apply -f letsencrypt-issue.yaml

03 Add annotations for Ingress

Adding these annotations when deploying the Ingress is all it takes to configure the certificate:

annotations:
  kubernetes.io/ingress.class: "nginx"
  cert-manager.io/issuer: "letsencrypt-prod"

The full Ingress configuration is shown below. You can also view the full configuration, from Deployment and Service through to Ingress, on my GitHub: shfshanyue/learn-k8s:/conf/nginx.yaml

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: nginx-service-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/issuer: "letsencrypt-prod"
spec:
  tls:
  - hosts:
    - nginx.xiange.tech
    secretName: nginx-tls
  rules:
  - host: nginx.xiange.tech
    http:
      paths:
      - backend:
          serviceName: nginx-service
          servicePort: 80
        path: /

Verify that the certificate's Ready condition is True.

Because the image is hosted on quay.io, pulling it can be slow, so this may take up to 10 minutes.

$ kubectl get certificate
NAME        READY   SECRET      AGE
nginx-tls   True    nginx-tls   44h

$ kubectl describe certificate nginx-tls
Name:         nginx-tls
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1alpha2
Kind:         Certificate
Metadata:
  Creation Timestamp:  2019-10-26T13:30:06Z
  Generation:          1
  Owner References:
    API Version:           extensions/v1beta1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Ingress
    Name:                  nginx-service-ingress
    UID:                   c9abc7b7-45da-431b-b732-e535a809dfdd
  Resource Version:        2822740
  Self Link:               /apis/cert-manager.io/v1alpha2/namespaces/default/certificates/nginx-tls
  UID:                     ccb3aa54-e967-4813-acbe-41d9801f29a6
Spec:
  Dns Names:
    nginx.xiange.tech
  Issuer Ref:
    Group:      cert-manager.io
    Kind:       Issuer
    Name:       letsencrypt-prod
  Secret Name:  nginx-tls
Status:
  Conditions:
    Last Transition Time:  2019-10-26T13:43:02Z
    Message:               Certificate is up to date and has not expired
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2020-01-24T12:43:01Z
Events:                    <none>

Open the domain name configured in the Ingress in a browser; the padlock in the address bar of Chrome indicates that HTTPS is configured successfully.
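As an added example (not from the original article), the Ready and expiry check above written as a script: it takes the JSON form of the Certificate and Ingress (as returned by kubectl get ... -o json; the samples here are constructed to mirror the objects in this article) and reports whether the certificate is Ready, whether it is near expiry, and whether the Ingress's tls secret, hosts and issuer annotation match the Certificate that cert-manager created for it.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed samples mirroring this article's Certificate and Ingress, in the
# shape `kubectl get certificate nginx-tls -o json` / `kubectl get ingress -o json` return.
SAMPLE_CERT = json.loads("""{
  "spec": {"dnsNames": ["nginx.xiange.tech"], "secretName": "nginx-tls",
           "issuerRef": {"kind": "Issuer", "name": "letsencrypt-prod"}},
  "status": {"conditions": [{"type": "Ready", "status": "True", "reason": "Ready"}],
             "notAfter": "2020-01-24T12:43:01Z"}
}""")
SAMPLE_INGRESS = json.loads("""{
  "metadata": {"annotations": {"cert-manager.io/issuer": "letsencrypt-prod"}},
  "spec": {"tls": [{"hosts": ["nginx.xiange.tech"], "secretName": "nginx-tls"}]}
}""")


def _utc(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_certificate(cert, ingress, now_ts, renew_days=30):
    """Return a list of findings; an empty list means the Certificate is Ready,
    not near expiry, and consistent with the Ingress that owns it."""
    findings = []
    status = cert.get("status", {})
    ready = {c["type"]: c for c in status.get("conditions", [])}.get("Ready")
    if ready is None or ready.get("status") != "True":
        findings.append("Ready is not True (reason: %s)" % (ready or {}).get("reason", "missing"))
    not_after = status.get("notAfter")
    if not_after is None:
        findings.append("no notAfter: no certificate has been issued yet")
    else:
        left = _utc(not_after) - _utc(now_ts)
        if left <= timedelta(0):
            findings.append("certificate expired at %s" % not_after)
        elif left < timedelta(days=renew_days):
            findings.append("within %d-day renewal window, expires %s" % (renew_days, not_after))
    # The Ingress and the Certificate must agree on secret, hosts and issuer;
    # otherwise the Ingress serves no certificate, or the wrong one.
    tls = ingress["spec"].get("tls", [])
    if cert["spec"]["secretName"] not in {t["secretName"] for t in tls}:
        findings.append("secretName %s is not used by any Ingress tls entry" % cert["spec"]["secretName"])
    missing = {h for t in tls for h in t.get("hosts", [])} - set(cert["spec"].get("dnsNames", []))
    if missing:
        findings.append("Ingress tls hosts not in dnsNames: %s" % sorted(missing))
    issuer = ingress["metadata"].get("annotations", {}).get("cert-manager.io/issuer")
    if issuer != cert["spec"]["issuerRef"]["name"]:
        findings.append("Ingress issuer annotation %r != issuerRef %r" % (issuer, cert["spec"]["issuerRef"]["name"]))
    return findings
```

Run it against the live objects by piping kubectl's JSON output into check_certificate with the current time; an empty result is the condition the article's kubectl describe output shows.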

Reference

  • Automatically creating Certificates for Ingress resources
  • Setting up ACME Issuers
  • Get Automatic HTTPS with Let’s Encrypt and Kubernetes Ingress